Tierney - stock.adobe.com
Cloud adoption is one way businesses are seeking to become more agile, but that means they have to become more agile in terms of cyber security too, according to Greg Day, chief security officer for Europe at Palo Alto Networks.
“This may be things we do in the cloud, but it is also about things we can do in our traditional infrastructure,” he told attendees of the Palo Alto Networks Cloud Security Summit in London.
At the heart of the challenge, said Day, is the fact the business is wanting to move faster all the time and so is building whatever it needs to do that in terms of information systems, without waiting for the go-ahead from the security team under the assumption that security will catch up eventually.
The challenge, therefore, he said is for security professionals to think about the speed at which their business is looking to change and to ask themselves if they are working at the same pace.
Another key part of the challenge, said Day, is to establish the true level of development being carried out by operational teams. “I will guarantee that there are people in your business doing DevOps in their own little bubble [that IT security teams may not know about],” he added.
The problem with that, he said, is that DevOps is like “fertile grass” that starts off “in a little corner” and is almost unnoticeable. “But then all of a sudden it is everywhere, and once it is in there, it is really hard to pull out because the roots grow really deep,” he said.
As a result, said Day, DevOps teams that do not have any security guidance or information are running pilots for the business that often becomes mainstream projects that have never been cleared by security and may be full of inherent security risks.
“Information security teams need to ask themselves if they have complete visibility of what is going on in the IT environment and whether they working to the same drum beat as the business, because if you are not, it is really difficult to catch up later,” he said.
While many organisations are following a recognised security framework such as ISO 27001 that sets out best practices for ensuring visibility and developing capability to prevent, detect and respond, Day said research by Palo Alto Networks shows that as businesses make the shift to cloud, basic security capability is reduced.
Only 22% of organisations polled in Europe said they had visibility across their entire IT estate, and only 13% said they were confident they had the ability to apply any security action across all of their infrastructure, which implies that in the majority of companies security is not moving at the same pace as the business.
Information security teams, said Day, need to understand the rate at which the business is introducing new technologies and work out strategies for evolving its controls and processes at the same pace to accommodate that change, which in many cases is measured in weeks, not months.
“As we move to the cloud, we move from buying big data servers and building big infrastructures to paying for what we use on demand, and the great news is that we can do the same in cyber security to function in parallel with the business at the same pace,” he said.
However, Day said purchasing resources is just one part of the equation. Security teams also have to ensure that they can operate at the same speed as the business, but scripts and batch files that have long been used to automate security processes are no longer able to keep up.
“DevOps teams are all about the automation of code. So I challenge you to start looking at some of the DevOps models and think about how to turn cyber security into code. Information security teams need to make their configurations into DevOps teams as agile and as code-based as they are,” he said.
Day urged infosec professionals to look at their configuration processes and find ways of turning them into code, adding that Palo Alto Networks has already produced a set of configuration templates that are available online to help organisations make their cyber security more agile.
“Some of this has to be done in the cloud, but you can just as easily start with the firewalls in the business or security of your endpoints because all of them can benefit from this same mindset.”
In summary, Day said infosec pros need to understand the timescale of their businesses in terms of adopting new processes and ensure they are working as fast as the fastest to be as agile as the business; ensure they have the right information to take advantage of the capabilities that are coming from machine learning and analytics; and ensure they are in step with the business in terms of moving from the old capital expenditure heavy models to the more agile models.
Just as the Wright Brothers, Concorde and Virgin Galactic have redefined air travel, information security professionals need to do the same in cyber security to ensure their processes are as agile as the business, said Day.
Although this may seem like a daunting thing to do, he said it is important to make a start, and this can be done with any one project that can be used as a “catalyst for change” to become more agile such as reviewing endpoint security, securing DevOps and building detection and response capabilities.
In light of the fact that technology has enabled robots to solve the Rubik’s cube nine times faster than the human record, Day said organisations need to think how they can use technology to make their cyber security capacity more agile.
“Just think if you could deal with the security events alerts and events in your business nine times faster, how many events could you process through the use of technology to free up your limited human skills to focus on the most complicated things?” he added.
Read more about cloud security
- When choosing a cloud security provider, enterprises will need to consider the level of data privacy and data security risk involved.
- Cloud-based business initiatives are accelerating more rapidly than security teams can secure them, a survey reveals.
- As businesses increasingly adopt cloud-first strategies, how can they ensure their security is up to scratch?